How to Save a Company: Skype Phishing Prevention

Matti Suominen

December 12, 2017 at 10:21

In the previous article on Skype Phishing, I explored the possibilities of using Skype for Business as a channel for carrying out targeted attacks on specific high-value individuals in companies. If you did not read that article, do so now, as the rest of this article assumes you did: https://www.nixu.com/blog/how-own-company-skype-phishing-101

At the end of that article, I provided some brief guidance on how to address the concern depending on your role and needs. The problem is that, depending on how you use Skype for Business, it can currently be fiendishly hard to solve.

I strongly believe that the only party who can really solve this issue in a reasonable way is Microsoft. While this is not a vulnerability in the technical sense, it’s still a design weakness in Skype for Business that makes it extremely hard to distinguish between trusted and untrusted external parties. That said, waiting for Microsoft to adjust their software isn’t going to get anything fixed fast.

Just so nobody can say I didn’t try, here’s a breakdown of things that different parties can do in order of what makes the most sense to me.

Microsoft and O365 / Skype for Business teams

As stated, Microsoft is the key player here who can affect how Skype for Business and Office 365 in general work. The real fix should come from them eventually. There are a few things that would make it significantly harder to abuse these features.

The Skype for Business client should indicate more clearly that the user on the other end is not necessarily trusted:

  • Change the “External Network” text to something that makes sense to a casual user and make it much easier to see
  • For messages coming from domains you’ve never contacted before, display a popup the first time, warning the user that this contact is from domain X and asking whether they wish to continue
  • Make it clear in the UI which contacts are external – color change, highly visible banner, whatever makes sense

Office 365 should offer more options beyond white/black list for trusting external domains:

  • Currently you have to either not allow anyone (not good), trust everyone equally (also not good) or have the administrator individually whitelist every domain (really difficult in practice)
  • Having two tiers of trusted vs. untrusted domains might help – the visual features discussed in the SfB client recommendations could be removed for trusted externals, while untrusted ones could still connect but with visible warnings against phishing

Most of these challenges have already been addressed to a degree on the e-mail side. Office 365 and Outlook do a decent job of pointing out when the sender is likely fraudulent. Since e-mail is far more complex in what you can do with it, getting this right on Skype for Business shouldn’t require too much work.

IT Organizations

Although Microsoft holds the keys to ultimately resolving this issue, waiting for anything to come out may not be a rational strategy for IT organizations. There are things you can already do currently to protect against these attacks. The question is, do you need to use fully open federation where you allow anyone to send messages to you? For some, this is highly desirable. For others, there is no real reason for anyone in the organization to use Skype for Business in this manner.

Based on extremely limited research into this, it seems like many companies have the feature enabled but do not actually know this. This is the worst possible situation – the feature is not used because nobody knows about it but it can surprise your employees at the wrong time. If your organization fits into this group, be sure to re-evaluate the situation and act accordingly.

If your organization does not need or use open federation, make sure the feature is disabled:

  • You can disable open federation from the Office 365 admin tools by setting the federation mode either to completely off or to whitelist mode with an empty whitelist
  • It’s worth checking what your settings currently are – it’s surprisingly easy to end up with this feature enabled without knowing about it

If your organization does need to talk to other organizations over Skype for Business, consider if you know who these parties are in advance:

  • Whitelisting specific organizations like suppliers, IT service providers etc. can be a good solution when you have a trusted inner circle that rarely changes
  • In these cases, enable whitelisting mode and whitelist the relevant domains
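The audit and the two hardening options above (federation off, or whitelist mode with named partner domains) can be applied from PowerShell rather than the admin portal. This is an added example, not from the original article: it assumes the Skype for Business Online PowerShell module is installed and a tenant session is already open, and the partner domain names are constructed placeholders.

```powershell
# Added example (not the article's own code). Assumes an existing
# Skype for Business Online session (e.g. via New-CsOnlineSession).

# 1. Audit the current federation mode before changing anything.
$cfg = Get-CsTenantFederationConfiguration
"AllowFederatedUsers : $($cfg.AllowFederatedUsers)"
"AllowPublicUsers    : $($cfg.AllowPublicUsers)"

# AllowedDomains is either an AllowAllKnownDomains object (open federation:
# any federated organization can message your users) or an AllowList.
if ($cfg.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains') {
    "Open federation is ENABLED - anyone can contact your users."
} else {
    "Whitelist mode. Allowed domains:"
    $cfg.AllowedDomains.AllowedDomain | ForEach-Object { "  $($_.Domain)" }
}
"Blocked domains: $($cfg.BlockedDomains.Domain -join ', ')"

# 2. Pick the posture that matches the organization's needs.
#    'Off'       - nobody outside the tenant can message users over SfB.
#    'Whitelist' - only the listed partner domains can.
$Mode = 'Whitelist'

switch ($Mode) {
    'Off' {
        # Turns external federation off entirely.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
    }
    'Whitelist' {
        # Constructed placeholder domains for the trusted inner circle.
        $partners = 'supplier.example', 'msp.example'
        $patterns = $partners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
        $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
        Set-CsTenantFederationConfiguration -AllowedDomains $allowList
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true
    }
}

# 3. Re-read the configuration so the change is visible in the session log.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains
```

Re-run the audit block periodically, since the finding in the article is that many tenants end up with open federation enabled without anyone having decided to turn it on.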

If your organization needs open federation and the ability to communicate with anyone without first adding them to the whitelist, you may want to focus on awareness:

  • Ensure that your users are aware that open federation is enabled and they may be approached by users from other companies – this may not be clear to everyone
  • Check the tips in the next section and communicate them to your users

End-users

If your organization has open federation enabled on Skype for Business to anyone, you need to be somewhat careful when answering messages from people you don’t know. Furthermore, you need to be careful even with people you do know – or think you do. Phishing through Skype for Business can look extremely believable, which makes this a tough one to beat.

Your biggest clue is the “External Network” text as seen in the following picture:

[Image: Skype for Business conversation window showing the “External Network” label next to the contact]
If you are talking to someone in your company but see this text, watch out! There is a possibility that the person is not who they appear to be. You can also open the Contact Card and check their e-mail. If the address isn’t what you would expect, you may be a target of this attack.

Here are a few tips that may help you beyond just looking out for signs of something being wrong:

Stop considering Skype for Business as “internal communication” – it’s not!

  • It’s easy to fall into this trap and trust the person messaging you just because of the channel

Always think first when someone asks you to do something unusual:

  • Sense of urgency in doing something and people asking you to help them out in trouble are some of the most common tricks to talk people into making bad decisions
  • If you suspect that something is wrong, consider verifying the request through other channels (e.g. phone, SMS) or provide them with instructions instead of doing the task yourself
  • Gut feeling can be a good indicator here – if the discussion seems unusual, there may well be a real reason for that

Don’t send sensitive materials over Skype for Business:

  • Usually there is a better process for handling sensitive materials – use that instead
  • Prefer to handle the materials in IT systems designed for this and hand out links rather than the materials directly – accessing links typically requires authentication

Hopefully some of the proposed changes are eventually implemented into O365 or Skype for Business to prevent this type of abuse. In the meantime, make sure to evaluate your situation, inform others and raise awareness.
